An application has been written that publishes custom metrics to Amazon CloudWatch.Recently, IAM changes have been made on the account and the metrics are no longer being reported.Which of the following is the LEAST permissive solution that will allow the metrics to be delivered?Read More →
A Security Engineer received an AWS Abuse Notice listing EC2 instance IDs that are reportedly abusing other hosts.Which action should the Engineer take based on this situation? (Choose three.)Read More →
A security team is responsible for reviewing AWS API call activity in the cloud environment for security violations.These events must be recorded and retained in a centralized location for both current and future AWS regions.What is the SIMPLEST way to meet these requirements?Read More →
The Security Engineer is managing a web application that processes highly sensitive personal information.The application runs on Amazon EC2.The application has strict compliance requirements, which instruct that all incoming traffic to the application is protected from common web exploits and that all outgoing traffic from the EC2 instances is restricted to specific whitelisted URLs.Which architecture should the Security Engineer use to meet these requirements?Read More →
A company has a customer master key (CMK) with imported key materials.Company policy requires that all encryption keys must be rotated every year.What can be done to implement the above policy?Read More →
A company will store sensitive documents in three Amazon S3 buckets based on a data classification scheme of `Sensitive,` `Confidential,` and `Restricted.` The security solution must meet all of the following requirements:✑ Each object must be encrypted using a unique key.✑ Items that are stored in the `Restricted` bucket require two-factor authentication for decryption.✑ AWS KMS must automatically rotate encryption keys annually.Which of the following meets these requirements?Read More →
A company has a web-based application using Amazon CloudFront and running on Amazon Elastic Container Service (Amazon ECS) behind an Application LoadBalancer (ALB).The ALB is terminating TLS and balancing load across ECS service tasks.A security engineer needs to design a solution to ensure that application content is accessible only through CloudFront and that it is never accessible directly.How should the security engineer build the MOST secure solution?Read More →
A city is implementing an election results reporting website that will use Amazon CloudFront.The website runs on a fleet of Amazon EC2 instances behind anApplication Load Balancer (ALB) in an Auto Scaling group.Election results are updated hourly and are stored as .pdf files in an Amazon S3 bucket.A security engineer needs to ensure that all external access to the website goes through CloudFront.Which solution meets these requirements?Read More →
A company wants to encrypt data locally while meeting regulatory requirements related to key exhaustion.The encryption key can be no more than 10 days old or encrypt more than 2^16 objects.Any encryption key must be generated on a FIPS-validated hardware security module (HSM).The company is cost-conscious, as it plans to upload an average of 100 objects to Amazon S3 each second for sustained operations across 5 data producers.Which approach MOST efficiently meets the company’s needs?Read More →
A large government organization is moving to the cloud and has specific encryption requirements.The first workload to move requires that a customer’s data be immediately destroyed when the customer makes that request.Management has asked the security team to provide a solution that will securely store the data, allow only authorized applications to perform encryption and decryption, and allow for immediate destruction of the data.Which solution will meet these requirements?Read More →
© 2026. Tip2Cloud doesn't offer any real exam questions. All questions & answers were supported by AI.